Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Umesh
Contributor

Geo blocking issue for LAN network

Hi Team,

 

We are facing issue after enabling Geo blocking for other country except India.

 

Policy which I have configured -

 

Incoming interface - SDWAN interface

Outgoing Interface - Vlan Interface.

Source country - India

Destination - VIP

NAT - Natted IP (1.1.1.1-100.100.100.1) For example

Policy - Accept

 

Issue  that has been observed - Internal servers are not able to access site - for example - www.xxx.com

which VIP is mapped with this policy

 

When I enabled source - ALL that time is everything is going on smoothly.

 

thank you.

 

 

 

 

 

1 Solution
Umesh
Contributor

Hello team,

 

I have followed below Geo IP code from documents of Fortigate after that issue has been resolved.

 

Steps have been taken by as follows:

1. Source country have chosen - India

2. Create one test Geo location added in the policy - Set country ZZ.

 

Below is the link: for Specials code of Geo IP

 

ZZ - Reserved (IP addresses that are not assigned, e.g., 10.0.0.0/24)

For more information please refer the below documents.

https://docs.fortinet.com/document/fortiadc/7.4.1/handbook/522244/special-geo-codes

 

Thank you.

View solution in original post

5 REPLIES 5
abarushka
Staff
Staff

Hello,

 

Is there particular reason why traffic is NATed?

 

Moreover, you may consider to verify GEO IP category:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Commands-to-verify-GeoIP-information-and/t...

FortiGate
pminarik
Staff
Staff

If this policy is used for access from LAN devices as well (~hairpin NAT), you will need to add your local subnets into the list of permitted sources in that policy.

[ corrections always welcome ]
Jakob-AHHG
Contributor II

Hi Umesh,

You had another thread with the initial configuration of this as well, so not sure what you ended up with, but:

1: Does this work when you disable this rule?
2: This seems to be a Firewall rule, no a Local In rule, so it will block you other local servers from accessing the server on VirtualIP NAT.

 

I would:

1: Make sure everything works on a routing level, without this rule enabled.

2: Make internal DNS that points to 'www.xxx.com' on the internal IP - unless you have a Very good reason to access that server via the public IP (making more load on the firewall!)

 

It would also be helpful to know, if you're setting up a new firewall or this is an existing installation you try to 'harden'.

Jakob Peterhänsel,
IT System Admin,
Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Jakob Peterhänsel,IT System Admin,Arp-Hansen Hotrel Group A/S, Copenhagen, DK
Umesh
Contributor

not resolved the issue

Umesh
Contributor

Hello team,

 

I have followed below Geo IP code from documents of Fortigate after that issue has been resolved.

 

Steps have been taken by as follows:

1. Source country have chosen - India

2. Create one test Geo location added in the policy - Set country ZZ.

 

Below is the link: for Specials code of Geo IP

 

ZZ - Reserved (IP addresses that are not assigned, e.g., 10.0.0.0/24)

For more information please refer the below documents.

https://docs.fortinet.com/document/fortiadc/7.4.1/handbook/522244/special-geo-codes

 

Thank you.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors